
Windows Internals (《深入理解Windows操作系统》) Notes, Part 2

程序员文章站 (Programmer Article Site), 2022-06-04 15:53:56

The SDK ships a dependency viewer, depends.exe, which shows the subsystem type of a program. It turns out to be the very same tool as Depends in the Microsoft Visual Studio 6.0 Tools menu of VS6 Enterprise ("C:\Program Files\Microsoft Visual Studio\Common\Tools\DEPENDS.EXE"). Ugh!!

The Windows subsystem:

1. The environment subsystem process csrss.exe provides the following support:

a) console text windows

b) creating or deleting processes and threads

c) part of the support for 16-bit virtual DOS machine processes

d) a few other functions, such as GetTempFile, DefineDosDevice, ExitWindowsEx

2. The kernel-mode device driver win32k.sys contains:

a) the window manager, including collection of keyboard and mouse input

b) the graphics device interface, GDI (before NT4 this was part of the user-mode Windows subsystem)

3. Subsystem DLLs such as kernel32.dll, advapi32.dll, user32.dll, gdi32.dll

4. Graphics device drivers

Does putting USER and GDI in kernel mode make Windows unstable?

Answer: before NT4 a bad pointer could already bring the whole system down, so moving the window manager and GDI from user mode into kernel mode not only improved performance but also kept the loss of stability to a minimum!

POSIX subsystem

POSIX is the acronym for Portable Operating System Interface, a standard based on UNIX. There are many POSIX standards; Windows implements POSIX.1.

The POSIX subsystem helps port UNIX applications to Windows; however, such a program is still linked as a POSIX executable and cannot call Windows functions. If you need to port UNIX code to Windows and also call Windows functions, you have to buy UNIX-to-Windows software, for example from www.MKSSOFTWARE.COM.

To compile and link a POSIX program on Windows, use the POSIX header files and libraries in the SDK and link against psxdll.dll.

OS/2 subsystem

Support is limited: OS/2 code that is written against the hardware or uses advanced video I/O cannot run under this subsystem on Windows.

Native OS/2 1.2 has a 16 MB memory limit, whereas the OS/2 subsystem provided by Windows can use 512 MB.

Hardware abstraction layer (HAL)

C:\WINDOWS\DriverCache\i386>dir

 驱动器 C 中的卷没有标签。
 卷的序列号是 18F6-A188

 C:\WINDOWS\DriverCache\i386 的目录

2011-12-05  10:36    <DIR>          .
2011-12-05  10:36    <DIR>          ..
2008-04-14  20:00        62,857,674 driver.cab
               2 个文件     83,085,231 字节
               2 个目录 146,253,623,296 可用字节

With SP3 applied, this CAB archive contains several versions of hal.dll.

C:\>dir ntoskrnl.exe /a /s

 驱动器 C 中的卷没有标签。
 卷的序列号是 18F6-A188

 C:\WINDOWS\system32 的目录

2008-04-14  20:00         2,144,768 ntoskrnl.exe
               1 个文件      2,144,768 字节

     所列文件总数:
               1 个文件      2,144,768 字节
               0 个目录 146,251,362,304 可用字节




Here we find that ntoskrnl links to the HAL and the HAL links back to ntoskrnl: each uses the other's functions. Ntoskrnl also links to BOOTVID.DLL, the boot video driver that implements the GUI boot screen. On XP and later there is one more DLL, kdcom.dll, which contains the kernel debugger's base code; before XP that code was part of ntoskrnl.exe.
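As an added example (not from the original notes), the following Python script does the part of depends.exe's job that these notes rely on: it walks a PE image's import directory and lists the DLLs the image links against, which is how one sees that ntoskrnl.exe links HAL.dll, BOOTVID.dll and kdcom.dll. The build_minimal_pe helper constructs a tiny synthetic PE32 image so the parser can be exercised offline; pointing the script at a real file lists that file's real imports. Function and helper names are my own, not from any library.

```python
import struct
import sys

# Offsets and sizes from the PE/COFF specification.
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMPORT_DESCRIPTOR_SIZE = 20          # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def _rva_to_offset(rva, sections):
    """Translate an RVA into a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _read_cstring(data, offset, limit=256):
    end = data.index(b"\0", offset, offset + limit)
    return data[offset:end].decode("ascii", errors="replace")


def parse_imports(data):
    """Return the DLL names a PE image imports, in import-table order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature.
    (_machine, num_sections, _ts, _symptr, _nsyms,
     size_opt, _chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        dir_base, num_dirs_off = opt + 96, opt + 92
    elif magic == 0x20B:                    # PE32+
        dir_base, num_dirs_off = opt + 112, opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return []
    imp_rva, _imp_size = struct.unpack_from(
        "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva == 0:
        return []
    sections = []
    sec_off = opt + size_opt
    for i in range(num_sections):
        _name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_off + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    dlls = []
    off = _rva_to_offset(imp_rva, sections)
    while True:
        desc = struct.unpack_from("<IIIII", data, off)
        if not any(desc):                   # all-zero descriptor ends the table
            break
        dlls.append(_read_cstring(data, _rva_to_offset(desc[3], sections)))
        off += IMPORT_DESCRIPTOR_SIZE
    return dlls


def build_minimal_pe(dll_names):
    """Construct a tiny, non-executable PE32 image whose only content is an
    import table naming dll_names. This is a constructed test fixture, not a
    real Windows binary."""
    sec_rva, sec_off, align = 0x1000, 0x200, 0x200
    table_size = (len(dll_names) + 1) * IMPORT_DESCRIPTOR_SIZE
    names, name_rvas = b"", []
    for dll in dll_names:
        name_rvas.append(sec_rva + table_size + len(names))
        names += dll.encode("ascii") + b"\0"
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    table = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    table += b"\0" * IMPORT_DESCRIPTOR_SIZE
    section = table + names
    section += b"\0" * (-len(section) % align)

    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (sec_rva, table_size)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0, len(section), 0, 0, sec_rva, sec_rva, 0x400000,
                      0x1000, align, 4, 0, 0, 0, 4, 0, 0, sec_rva + 0x1000, sec_off, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, len(dirs))
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(table + names), sec_rva,
                          len(section), sec_off, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    headers += b"\0" * (sec_off - len(headers))
    return headers + section


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. ntoskrnl.exe copied off a test machine
        with open(sys.argv[1], "rb") as f:
            print("\n".join(parse_imports(f.read())))
    else:
        print(parse_imports(build_minimal_pe(["HAL.dll", "BOOTVID.dll", "KDCOM.dll"])))
```

The parser only reads the import directory, so bound or delay-load imports are not listed; that is the same view depends.exe shows in its top-level dependency tree.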

Starting with Windows 2000, drivers follow WDM, the Windows Driver Model. From WDM's point of view there are three kinds of driver:

1. Bus drivers: serve bus controllers, adapters, bridges, and any device that has child devices, for example PCI and USB.

2. Function drivers: mandatory for a device, for example SCSI.

3. Filter drivers: usually supplied only by the OEM, layered on top of the bus driver.

C:\>pstat | more

Pstat version 0.3: memory: 2882732 kb uptime: 03:33:12.531

no pagefiles in use

 Memory: 2882732K Avail: 1809228K TotalWs: 808476K InRam Kernel: 2580K P: 59176K
 Commit: 872612K/718480K Limit: 2720228K Peak: 936212K Pool N: 48464K P: 59484K

 User Time   Kernel Time    Ws   Faults  Commit   Pri  Hnd Thd Pid Name
                           1699962309601 File Cache
 0:00:00.000   6:19:14.046    28      0      0    0    0    2    0 Idle Process
 0:00:00.000   0:02:03.828 34413635528798874 System
 0:00:01.015   0:00:00.031 49632823211193612 smss.exe
 0:00:01.765   0:00:12.421 1058431486234013751131124 csrss.exe
 0:00:00.140   0:00:00.312 53005907813613526231156 winlogon.exe
 0:00:00.656   0:00:01.796 35801557818449321151200 services.exe
 0:00:01.640   0:00:03.765 13081679828409425161212 lsass.exe
 0:00:41.234   0:00:08.625 154605338171233008181331392 avguard.exe
 0:00:00.046   0:00:00.015 247665268883321572 avshadow.exe
 0:00:00.046   0:00:00.156 34169122076810041592 ati2evxx.exe
 0:00:00.062   0:00:00.046 5556174632408226181612 svchost.exe
 0:00:00.234   0:00:00.265 5024165220648351101672 svchost.exe
 0:00:00.578   0:00:00.890 390425888223681125128 ati2evxx.exe
 0:00:01.421   0:00:01.093 2184414256134688151657676 svchost.exe
 0:00:04.500   0:00:00.656 44007844203281076812 svchost.exe
-- More --

The System process has PID 8 on Windows 2000 and PID 4 on Windows XP and 2003.


C:\>livekd

LiveKd v5.0 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2010 Mark Russinovich and Ken Johnson

Launching C:\Program Files\Debugging Tools for Windows (x86)\kd.exe:

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\livekd.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'LiveKD live system view'
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Sun Feb 13 10:34:57.897 17420 (UTC + 8:00)
System Uptime: 0 days 3:40:13.673
WARNING: Process directory table base 00722000 doesn't match CR3 0A9F06C0
WARNING: Process directory table base 00722000 doesn't match CR3 0A9F06C0
Loading Kernel Symbols
...............................................................
................................................................
............
Loading User Symbols
Loading unloaded module list
...............
0: kd> 0: kd> 0: kd>
0: kd>
0: kd> !stacks 0
Proc.Thread  .Thread  Ticks   ThreadState Blocker
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
                            [8a36ba00 System]
   4.00004c  8a362020  ffffef52 Blocked    nt!MiGatherPagefilePages+0x40
*** ERROR: Module load completed but symbols could not be loaded for sptd.sys
   4.000064  8a392bd8  00ce2c2 Blocked    sptd+0x874ee
   4.000068  8a392960  00ce74f Blocked    sptd+0x874ee
   4.00006c  8a3926e8  00ce74f Blocked    sptd+0x874ee
*** ERROR: Module load completed but symbols could not be loaded for RtkHDAud.sys
   4.00016c  89d3cb08  00ce5fc Blocked    RtkHDAud+0x110e
   4.000170  89d3c890  00ce5fc Blocked    RtkHDAud+0x110e
   4.000174  89cc6868  00ce5fc Blocked    RtkHDAud+0x110e
   4.000178  89cbdb08  00ce5fc Blocked    RtkHDAud+0x110e
   4.00017c  89cbcda8  00ce5fb Blocked    RtkHDAud+0x110e
   4.000180  89cbc890  00ce5fb Blocked    RtkHDAud+0x110e
   4.000184  8a06f6e8  00ce5fb Blocked    RtkHDAud+0x110e
   4.000188  89cbf7e8  ffffe699 Blocked    RtkHDAud+0x110e
   4.00018c  89cbf548  0004025 Blocked    RtkHDAud+0x49368
   4.000190  89cca528  0003f4c Blocked    RtkHDAud+0x43c98

!stacks 0 shows the system threads inside the System process and lets you find a thread's current address.

Drivers lists the base address of every loaded device driver.

Column 1 is the process ID and thread ID.

Column 2 is the thread's current address.

Column 3 shows whether the thread is waiting, ready, or running.

Column 4 is the topmost address on the thread's stack, from which you can tell which driver each thread was started in.

s

   4.0005ac  87cb3468  00c0e87 Blocked    avgntflt+0x16a8
   4.0005b0  87cb31f0  0000082 Blocked    avgntflt+0x19ab
*** ERROR: Module load completed but symbols could not be loaded for hcmon.sys
   4.0000c0  87a07720  00cd9c8 Blocked    hcmon+0x1b7d
*** ERROR: Module load completed but symbols could not be loaded for vmx86.sys
   4.0000d4  87bc13c8  00cd9c6 Blocked    vmx86+0x3a9d
   4.000d24  87a25020  fffff285 Blocked    HTTP!UlpScavengerThread+0x5d
*** ERROR: Module load completed but symbols could not be loaded for PECKP.SYS
   4.000da0  878737f0  00c1ed7 Blocked    PECKP+0x1234a
                            [899a3370 smss.exe]
*** ERROR: Module load completed but symbols could not be loaded for ati2mtag.sys
                            [88242da0 csrss.exe]
 464.000470  884046e8  00ce2c8 Blocked    ati2mtag+0x4b1c
 464.00047c  88229da8  ffffffe1 Blocked    nt!KiFastCallEntry+0xfc
 464.00048c  88400d10  ffffd5a6 Blocked    nt!KiFastCallEntry+0xfc
 464.000494  8821da30  ffffd59b Blocked    win32k!xxxMsgWaitForMultipleObjects+0xb0
 464.0004f4  87ce45f0  ffffb3c5 Blocked    nt!KiFastCallEntry+0xfc
 464.000ff0  8799abf8  ffffb3b4 Blocked    nt!KiFastCallEntry+0xfc
                            [88412470 winlogon.exe]
 484.0004ac  8821cda8  ffffd639 Blocked    nt!KiFastCallEntry+0xfc
 484.0007fc  87c11270  000003b Blocked    nt!KiFastCallEntry+0xfc
 484.0003b8  87bde408  ffffba64 Blocked    nt!KiFastCallEntry+0xfc
 484.000ba8  87cd3798  ffffb995 Blocked    nt!KiFastCallEntry+0xfc
 484.00084c  87ae9020  ffffb94b Blocked    nt!KiFastCallEntry+0xfc
 484.000cec  8749eda8  ffffbc62 Blocked    nt!KiFastCallEntry+0xfc
 484.000784  87986bf0  00000fb Blocked
TYPE mismatch for thread object at 87436640
 484.------  NO ETHREAD DATA
 484.------  NO ETHREAD DATA
Unable to read _ETHREAD at fffffe50
                            [8821b410 services.exe]
 4b0.0004cc  87cfcb30  ffffb875 Blocked    nt!KiFastCallEntry+0xfc
 4b0.00052c  87ccf5d8  ffffbc7c Blocked    nt!KiFastCallEntry+0xfc
 4b0.000540  87cd1020  ffffb3e1 Blocked    nt!KiFastCallEntry+0xfc
 4b0.00054c  87650020  ffffb360 Blocked    nt!KiFastCallEntry+0xfc
 4b0.000cac  87695020  ffffb35f Blocked    nt!KiFastCallEntry+0xfc
                            [87cf3418 lsass.exe]
 4bc.0004dc  87cf05f0  ffffb5c0 Blocked    nt!KiFastCallEntry+0xfc
 4bc.0004f0  87ce4868  ffffbc70 Blocked    nt!KiFastCallEntry+0xfc
 4bc.000508  8821ebb8  ffffd5cd Blocked    +0x8821ebb8
 4bc.000528  87cd6da8  ffffb74a Blocked    nt!KiFastCallEntry+0xfc
                            [87cbfb38 avguard.exe]
 570.0005a4  87cc1da8  ffffb3a3 Blocked    nt!KiFastCallEntry+0xfc
 570.0005b4  87cafcd0  ffffb35b Blocked    nt!KiFastCallEntry+0xfc
 570.0005b8  87c9f8f0  ffffb333 Blocked    nt!KiFastCallEntry+0xfc
 570.0005bc  87ca94e8  ffffb330 Blocked    nt!KiFastCallEntry+0xfc
 570.0005dc  87c9dda8  ffffb721 Blocked    nt!KiFastCallEntry+0xfc
 570.0005e4  87cc3b10  ffffb392 Blocked    nt!KiFastCallEntry+0xfc
 570.0005ec  87c68020  ffffb5ed Blocked    nt!KiFastCallEntry+0xfc
 570.0005f4  87ca0458  ffffb46d Blocked    nt!KiFastCallEntry+0xfc
 570.0005fc  87c8e338  ffffb5b7 Blocked    nt!KiFastCallEntry+0xfc
 570.000600  87c67718  ffffb344 Blocked    nt!KiFastCallEntry+0xfc
                            [87c56be0 avshadow.exe]
                            [87c52420 ati2evxx.exe]
                            [87c38320 svchost.exe]
 64c.000678  87c284e8  ffffb536 Blocked    nt!KiFastCallEntry+0xfc
 64c.00076c  87ae2868  0001208 Blocked    nt!KiFastCallEntry+0xfc
 64c.000358  8a277be8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 64c.000764  878f1da8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 64c.00042c  878f1b30  0001208 Blocked    nt!KiFastCallEntry+0xfc
 64c.000324  87ae2020  0001208 Blocked    nt!KiFastCallEntry+0xfc
 64c.00031c  87ae25f0  0001208 Blocked    nt!KiFastCallEntry+0xfc
 64c.0007b0  8a276328  0000001 Blocked    nt!KiFastCallEntry+0xfc
 64c.000834  878f0538  0001208 Blocked    nt!KiFastCallEntry+0xfc
 64c.0001d4  87662020  ffffbb8c Blocked    nt!KiFastCallEntry+0xfc
                            [87c28be0 svchost.exe]
 688.000eec  878e8020  ffffb2af Blocked    nt!KiFastCallEntry+0xfc
 688.000fa8  8768f020  ffffb2ad Blocked    nt!KiFastCallEntry+0xfc
 688.000dcc  8747ada8  ffffb85f Blocked    nt!KiFastCallEntry+0xfc
                            [87c0da20 ati2evxx.exe]
  80.0003cc  87bdcda8  ffffb3f9 Blocked    nt!KiFastCallEntry+0xfc
                            [87c02020 svchost.exe]
 2a4.0002a0  87c10020  0001208 Blocked    nt!NtReadFile+0x55d
 2a4.000320  87bf25c8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 2a4.0003e0  87bd9718  ffffb91b Blocked    nt!KiFastCallEntry+0xfc
 2a4.0003e8  87be45a8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 2a4.0003f8  87bd5020  000041c Blocked    nt!KiFastCallEntry+0xfc
 2a4.000608  87bd7da8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 2a4.000658  88424020  0001208 Blocked    nt!KiFastCallEntry+0xfc
 2a4.0006f8  87a0daa0  ffffdb0f Blocked    nt!KiFastCallEntry+0xfc
 2a4.0000b8  87bccda8  00000dd Blocked    nt!KiFastCallEntry+0xfc
 2a4.0000b0  87bcea38  ffffffeb Blocked    nt!KiFastCallEntry+0xfc
 2a4.0000b4  87a1bc40  ffffe194 Blocked    nt!KiFastCallEntry+0xfc
 2a4.000534  87928830  0000050 Blocked    nt!KiFastCallEntry+0xfc
 2a4.000a28  87ae7bf8  ffffb4d8 Blocked    nt!KiFastCallEntry+0xfc
 2a4.0008e0  87ae4270  ffffb64c Blocked    nt!KiFastCallEntry+0xfc
 2a4.0008e4  8795f2a0  ffffb64c Blocked    nt!KiFastCallEntry+0xfc
 2a4.0008e8  87ae2378  0001208 Blocked    nt!KiFastCallEntry+0xfc
 2a4.000940  8a273868  0001208 Blocked    nt!KiFastCallEntry+0xfc
 2a4.000978  8a2725d8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 2a4.000994  8a2716d0  0001208 Blocked    nt!KiFastCallEntry+0xfc
 2a4.000be0  87c78da8  ffffb4d9 Blocked    nt!KiFastCallEntry+0xfc
 2a4.000ee4  8a2b9500  0000975 Blocked    nt!KiFastCallEntry+0xfc
 2a4.0003f4  87875020  ffffd71d Blocked    nt!KiFastCallEntry+0xfc
 2a4.0009e4  8780c610  ffffb22a Blocked    nt!KiFastCallEntry+0xfc
                            [87bf2348 svchost.exe]
 32c.000c38  8766ada8  ffffb30d Blocked    nt!KiFastCallEntry+0xfc
 32c.000b98  8764c3a0  ffffb2e9 Blocked    nt!KiFastCallEntry+0xfc
 32c.000b3c  87685020  ffffb2e9 Blocked    nt!KiFastCallEntry+0xfc
                            [87be5be0 svchost.exe]
 390.000360  87756c10  ffffb718 Blocked    nt!KiFastCallEntry+0xfc
                            [87bd56a0 sched.exe]
 664.0006ac  87bce5c8  0001208 Blocked    nt!NtReadFile+0x55d
 664.0006b0  87bc9be8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 664.0006b8  87bce350  0001208 Blocked    nt!KiFastCallEntry+0xfc
 664.0006d0  87bd6c40  000017d Blocked    nt!KiFastCallEntry+0xfc
                            [87a135a0 inetinfo.exe]
 104.000108  87bc8a68  0001208 Blocked    nt!NtReadFile+0x55d
 104.000130  87a0abe8  ffffd921 Blocked    nt!KiFastCallEntry+0xfc
 104.00079c  8799d470  ffffb3b7 Blocked    nt!KiFastCallEntry+0xfc
 104.000388  87996438  ffffb492 Blocked    nt!KiFastCallEntry+0xfc
 104.0003bc  879a4a50  0001208 Blocked    nt!KiFastCallEntry+0xfc
 104.0003c0  87b45da8  ffffb478 Blocked    nt!KiFastCallEntry+0xfc
                            [879fe988 jqs.exe]
 120.000134  884265e8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 120.000144  87a104f8  000028b Blocked    nt!MiDeferredUnlockPages+0x31
 120.0001d8  879f2c18  ffffb193 Blocked    nt!KiFastCallEntry+0xfc
                            [879e6020 sqlservr.exe]
 1bc.0002b0  87b86538  ffffb235 Blocked    nt!KiFastCallEntry+0xfc
 1bc.0002f0  87b77020  ffffb1ed Blocked    nt!KiFastCallEntry+0xfc
                            [87b896a0 sqlwriter.exe]
 22c.000230  879ddda8  0001208 Blocked    nt!NtReadFile+0x55d
 22c.000234  879d7970  0001208 Blocked    nt!KiFastCallEntry+0xfc
                            [879dfbe8 vmware-authd.ex]
 25c.000d4c  87be0328  0000076 Blocked    nt!KiFastCallEntry+0xfc
 25c.000d50  87bcb020  0001208 Blocked    nt!KiFastCallEntry+0xfc
 25c.000d54  87bcbda8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 25c.000f90  87b63970  ffffb2cc Blocked    nt!KiFastCallEntry+0xfc
                            [879c8da0 vmount2.exe]
 2f8.000338  87b71020  ffffb265 Blocked    nt!KiFastCallEntry+0xfc
                            [879bcda0 vmnat.exe]
                            [879ae4e0 vmnetdhcp.exe]
                            [87a5d4e0 explorer.exe]
 a88.000ae0  87b03da8  0000b69 Blocked    nt!KiFastCallEntry+0xfc
 a88.000850  87c0a020  ffffb44b Blocked    nt!KiFastCallEntry+0xfc
 a88.0001ec  87ade6b0  000054f Blocked    nt!KiFastCallEntry+0xfc
                            [87b20880 RTHDCPL.EXE]
                            [8796fbe0 MOM.exe]
 b1c.000b34  87a36da8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 b1c.000fec  87b6fda8  ffffb268 Blocked    nt!KiFastCallEntry+0xfc
 b1c.000444  87978c00  ffffb3a2 Blocked    nt!KiFastCallEntry+0xfc
 b1c.000458  8823f328  0001208 Blocked    nt!KiFastCallEntry+0xfc
 b1c.00045c  8823d020  0001208 Blocked    nt!KiFastCallEntry+0xfc
 b1c.0008a0  87ae8da8  ffffb37b Blocked    nt!KiFastCallEntry+0xfc
TYPE mismatch for thread object at 87642020
 b1c.------  NO ETHREAD DATA
TYPE mismatch for thread object at 8a308140
 b1c.------  NO ETHREAD DATA
 b1c.------  NO ETHREAD DATA
Unable to read _ETHREAD at 85ffe53
                            [8796cb40 GooglePinyinDae]
 b2c.000b60  8a1bc4c0  0001208 Blocked    nt!KiFastCallEntry+0xfc
 b2c.000b64  8a1bc8a8  0001208 Blocked    nt!IopXxxControlFile+0x5c5
 b2c.000b68  884052c0  ffffd9ae Blocked    nt!KiFastCallEntry+0xfc
 b2c.000bc4  87bd0bf8  00002ee Blocked    nt!KiFastCallEntry+0xfc
 b2c.000de0  876ad020  ffffb14f Blocked    nt!KiFastCallEntry+0xfc
                            [88406da0 SetPoint.exe]
 b7c.000434  87cb5be8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 b7c.000644  8a2bb9f8  0001208 Blocked    nt!KiFastCallEntry+0xfc
                            [87bb84c8 avgnt.exe]
 bec.000d08  87cb0a30  0001208 Blocked    nt!KiFastCallEntry+0xfc
                            [87970418 GooglePinyinSer]
                            [87b23da0 ctfmon.exe]
 c24.000c28  87bf9618  ffffb2e9 Blocked    nt!KiFastCallEntry+0xfc
                            [87be14e0 YodaoDict.exe]
 d44.000228  8a2bc868  00000c0 Blocked    nt!KiFastCallEntry+0xfc
 d44.000f84  87960020  ffffb25e Blocked    nt!KiFastCallEntry+0xfc
 d44.000960  8a275748  0001208 Blocked    nt!KiFastCallEntry+0xfc
 d44.000a60  8a2708b8  ffffb0ad Blocked    nt!KiFastCallEntry+0xfc
 d44.000a64  88235bf8  0001208 Blocked    nt!KiFastCallEntry+0xfc
                            [87cfba30 vmserverdWin32.]
 d5c.000fe4  87c3cda8  ffffb378 Blocked    nt!KiFastCallEntry+0xfc
 d5c.0007b8  87b44bf0  ffffb7ac Blocked    nt!KiFastCallEntry+0xfc
 d5c.000ea8  87964bf0  ffffb2e2 Blocked    nt!KiFastCallEntry+0xfc
                            [879c0be0 YoudaoNote.exe]
 db4.00043c  87a17480  0000610 Blocked    nt!KiFastCallEntry+0xfc
 db4.00085c  87c98da8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 db4.0008fc  8a277970  0001208 Blocked    nt!KiFastCallEntry+0xfc
 db4.000980  87add460  0001208 Blocked    nt!KiFastCallEntry+0xfc
                            [88411020 klive.exe]
 df8.000ff4  87bcbb30  0001208 Blocked    nt!KiFastCallEntry+0xfc
 df8.000ff8  88411340  0001208 Blocked    nt!KiFastCallEntry+0xfc
 df8.000d94  87acf850  ffffb111 Blocked    nt!KiFastCallEntry+0xfc
 df8.000fcc  87bcaa38  0001208 Blocked    nt!IopXxxControlFile+0x5c5
 df8.0000d8  8799f398  0001208 Blocked    nt!IopXxxControlFile+0x5c5
 df8.0000ec  89c46aa0  0001208 Blocked    nt!IopXxxControlFile+0x5c5
 df8.000de4  87aafa78  ffffb069 Blocked    nt!KiFastCallEntry+0xfc
 df8.000e94  88402868  ffffd5a9 Blocked    +0xa3f5ecec
 df8.000a6c  8781d868  ffffb2ec Blocked    nt!KiFastCallEntry+0xfc
 df8.0008f4  87aa7da8  ffffb03f Blocked    nt!KiFastCallEntry+0xfc
 df8.000594  878a0a28  ffffb04d Blocked    nt!KiFastCallEntry+0xfc
 df8.0009fc  8789f980  ffffb449 Blocked    nt!KiFastCallEntry+0xfc
 df8.000a04  8789f490  ffffb416 Blocked    nt!KiFastCallEntry+0xfc
 df8.000a54  8794f710  ffffb06d Blocked    nt!KiFastCallEntry+0xfc
 df8.000f34  87a0a870  ffffd9ac Blocked    nt!KiFastCallEntry+0xfc
 df8.000b28  877f1b38  0001208 Blocked    nt!KiFastCallEntry+0xfc
                            [87a53408 CCC.exe]
 414.00034c  8796b4e0  ffffb11b Blocked    nt!KiFastCallEntry+0xfc
 414.000240  87b6cc48  ffffb341 Blocked    nt!KiFastCallEntry+0xfc
 414.00012c  87436b30  ffffb5c1 Blocked    LiveKdD+0x32fd
                            [87a52570 KHALMNPR.exe]
 4c0.000710  8a27b640  0001208 Blocked    nt!KiFastCallEntry+0xfc
 4c0.0007e8  87a32788  0001208 Blocked    nt!KiFastCallEntry+0xfc
 4c0.00080c  8823ada8  0001208 Blocked    nt!KiFastCallEntry+0xfc
 4c0.000810  87afe748  0001208 Blocked    nt!KiFastCallEntry+0xfc
 4c0.000820  8823a430  0001208 Blocked    nt!KiFastCallEntry+0xfc
 4c0.0008d4  878efda8  ffffffe0 Blocked    nt!KiFastCallEntry+0xfc
 4c0.000400  87ae2c00  0001208 Blocked    nt!KiFastCallEntry+0xfc
                            [8796a3b8 wmiprvse.exe]
                            [87ae4da0 MDM.EXE]
 90c.000930  878eba30  fffffffc Blocked    nt!KiFastCallEntry+0xfc
                            [8a277370 alg.exe]
 91c.00095c  87adc4e8  0000603 Blocked    nt!KiFastCallEntry+0xfc
                            [87a8a020 conime.exe]
                            [8794cbe8 dllhost.exe]
 f94.000af8  87a63da8  ffffb0d8 Blocked    nt!KiFastCallEntry+0xfc
 f94.000eb4  87a76288  ffffafab Blocked    nt!KiFastCallEntry+0xfc
 f94.00089c  8788ada8  ffffb0aa Blocked    nt!KiFastCallEntry+0xfc
 f94.000900  87881020  ffffb12a Blocked    nt!KiFastCallEntry+0xfc
                            [8794b6b0 dllhost.exe]
 f5c.000f9c  87a37910  0001208 Blocked    nt!KiFastCallEntry+0xfc
 f5c.000a30  8787a440  ffffd6e2 Blocked    nt!KiFastCallEntry+0xfc
 f5c.000fe0  878c2628  ffffb235 Blocked    nt!KiFastCallEntry+0xfc
 f5c.000fa4  877f62d0  ffffb228 Blocked    nt!KiFastCallEntry+0xfc
 f5c.000c74  87a81928  ffffb14f Blocked    nt!KiFastCallEntry+0xfc
                            [87893da0 msdtc.exe]
                            [87a959c0 firefox.exe]
 9bc.000a74  876cf718  ffffbb31 Blocked    nt!KiFastCallEntry+0xfc
                            [877a9020 plugin-containe]
                            [8773d258 wps.exe]
 a10.000dac  877bf248  ffffaef8 Blocked    nt!KiFastCallEntry+0xfc
 a10.000788  87479da8  ffffb481 Blocked    nt!KiFastCallEntry+0xfc
                            [877c3020 cmd.exe]
                            [8743da20 wmiprvse.exe]
TYPE mismatch for thread object at 874a2428
 fb4.------  NO ETHREAD DATA
 fb4.------  NO ETHREAD DATA
Unable to read _ETHREAD at fe50
                            [877b05b8 livekd.exe]
                            [87425800 kd.exe]
 f78.000718  87470258  ffffaed9 RUNNING    LiveKdD+0x32fd
 f78.000bd4  874a6020  fffff013 Blocked    nt!KiFastCallEntry+0xfc
Threads Processed: 658
0: kd>

This maps a system thread to a device driver!
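As an added example, not part of the original notes or of LiveKd, here is a small Python parser for the `!stacks 0` listing above that performs that mapping mechanically: it groups a process's threads by the module their top stack frame falls in, and separately reports threads the debugger could not attribute to any loaded module (a bare `+0x...` blocker, like the lsass.exe and klive.exe entries above) or that sit in a driver it has no symbols for. Those two groups are what an analyst reviews first when checking that every kernel thread belongs to a known driver. SAMPLE is a constructed excerpt of the output with spacing restored; the function and class names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the `!stacks 0` output (spacing restored).
SAMPLE = """\
Proc.Thread  .Thread  Ticks   ThreadState Blocker
*** ERROR: Module load completed but symbols could not be loaded for LiveKdD.SYS
                            [8a36ba00 System]
   4.00004c  8a362020  ffffef52 Blocked    nt!MiGatherPagefilePages+0x40
*** ERROR: Module load completed but symbols could not be loaded for sptd.sys
   4.000064  8a392bd8  00ce2c2 Blocked    sptd+0x874ee
   4.000068  8a392960  00ce74f Blocked    sptd+0x874ee
   4.000d24  87a25020  fffff285 Blocked    HTTP!UlpScavengerThread+0x5d
                            [87cf3418 lsass.exe]
 4bc.0004dc  87cf05f0  ffffb5c0 Blocked    nt!KiFastCallEntry+0xfc
 4bc.000508  8821ebb8  ffffd5cd Blocked    +0x8821ebb8
                            [87425800 kd.exe]
 f78.000718  87470258  ffffaed9 RUNNING    LiveKdD+0x32fd
Threads Processed: 658
"""

PROC_RE = re.compile(r"\[([0-9a-f]{8}) (.+?)\]")
THREAD_RE = re.compile(
    r"^\s*([0-9a-f]+)\.([0-9a-f]{6})\s+([0-9a-f]{8})\s+([0-9a-f]+)\s+(\w+)\s+(\S+)")
NOSYM_RE = re.compile(r"symbols could not be loaded for (\S+)")


@dataclass
class Thread:
    process: str
    pid: str
    tid: str
    ethread: str
    ticks: str
    state: str
    blocker: str

    @property
    def module(self):
        """Module name in front of '!' or '+', or None when the frame is a bare address."""
        if self.blocker.startswith("+"):
            return None
        return re.split(r"[!+]", self.blocker, maxsplit=1)[0]


def parse_stacks(text):
    """Parse `!stacks 0` output into (threads, modules_without_symbols)."""
    threads, no_symbols, current = [], set(), None
    for line in text.splitlines():
        m = NOSYM_RE.search(line)
        if m:
            no_symbols.add(m.group(1))
            continue
        m = PROC_RE.search(line)
        if m:                          # "[ethread-address process-name]" starts a new process
            current = m.group(2)
            continue
        m = THREAD_RE.match(line)
        if m and current is not None:
            threads.append(Thread(current, *m.groups()))
    return threads, no_symbols


def threads_by_module(threads, process):
    """How many threads of `process` currently sit in each module."""
    return Counter(t.module or "<no module>" for t in threads if t.process == process)


def unmapped_threads(threads):
    """Threads whose top frame lies outside every loaded module (bare '+0x...' blocker)."""
    return [(t.process, t.pid + "." + t.tid, t.blocker) for t in threads if t.module is None]


def threads_in_unsymbolized_drivers(threads, no_symbols):
    """Threads whose top frame is in a driver the debugger has no symbols for."""
    stems = {name.rsplit(".", 1)[0].lower() for name in no_symbols}
    return [(t.process, t.pid + "." + t.tid, t.module)
            for t in threads if t.module and t.module.lower() in stems]


if __name__ == "__main__":
    threads, no_symbols = parse_stacks(SAMPLE)
    print("System threads by module:", dict(threads_by_module(threads, "System")))
    print("threads outside any module:", unmapped_threads(threads))
    print("threads in drivers without symbols:", threads_in_unsymbolized_drivers(threads, no_symbols))
```

On the full listing above the same functions would, for example, attribute ten System threads to RtkHDAud and three to sptd, and flag the `+0x8821ebb8` and `+0xa3f5ecec` entries for a closer look with `lm` against the loaded-module list.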

In Process Explorer, double-click the System process and you can see that SRV.SYS has several threads running; press the Module button to see the description.

The Session Manager, windows\system32\smss.exe, is the first user-mode process created in the system.

A service has three names: the process name, the registry name, and the display name shown in the Services management tool.

What mechanisms do the key components of Windows run on? The core component mechanisms are the object manager and the synchronization mechanism.